> One of my hosting clients has just made me aware of this
> major security problem and I'm wondering if anyone knows
> how to eliminate it?
>
> Try calling the application.cfm template on any CF site with
> +.htr appended to the end of the url. You'll first see a blank
> page. Now hit refresh/reload and you'll see the full code of
> said application.cfm.
>
> e.g. http://www.support.alllaire.com/application.cfm+.htr
>
> Can someone please tell me there is a patch for this. It
> seems to happen on all CF Server versions 4.x+ running IIS 4.0
> with Service Pack 5

This isn't a CF problem, really. I don't know if there's a patch, per se,
but there are two easy solutions.

1. Remove the .htr extension from the list of supported ISAPI extensions in
IIS. You can do this for all sites, or for each virtual server. You should
remove all extensions that you're not going to use; there are about ten or
so, generally, for ASP and other things. You should do this as a matter of
course when setting up IIS as a production server. Once you do this, someone
putting this extension at the end of a URL will get a 404 error message from
IIS.

2. Remove the right to read files from whatever user the CF server is
running as (typically SYSTEM). All CF needs to be able to do is execute.
This is a general thing that you can do to tighten up script engines in
general. With IIS, you'll also want to prevent the IIS anonymous user from
reading the contents of the files. With NT 4 SP 5, you can do this by
setting the IIS anonymous user so that it has "read permissions", "read
attributes" and "execute file" permission, but not the rights to read the
contents of the file.

Again, both of these are things that you should already be doing on NT
production web servers! If you do these things, you won't have to worry
about the vast majority of IIS "exploits".

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
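As an added illustration of the detection side of this (not code from the thread or from Fig Leaf Software): once the .htr mapping is removed, IIS answers such requests with a 404, but the probes themselves still show up in the W3C extended log. The script below parses constructed sample log lines and flags every request whose URI stem ends in ".htr", marking the ones that were actually served (status 200) and the ones where ".htr" was glued onto another file with "+". Field names follow the "#Fields:" header that IIS writes into its own logs; the IP addresses and timestamps are constructed.

```python
"""Flag '.htr' source-disclosure probes in IIS W3C extended log data.

Added example, not part of the original mailing-list thread. The log
text below is constructed; the field order comes from the '#Fields:'
header line, exactly as a real IIS log declares it.
"""
import re
from collections import Counter

# Constructed sample log in IIS W3C extended format.
SAMPLE_LOG = """#Software: Microsoft Internet Information Server 4.0
#Version: 1.0
#Date: 1999-09-01 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
1999-09-01 12:00:01 192.0.2.10 GET /index.cfm - 200
1999-09-01 12:00:07 192.0.2.44 GET /application.cfm+.htr - 200
1999-09-01 12:00:09 192.0.2.44 GET /application.cfm+.htr - 200
1999-09-01 12:01:15 192.0.2.10 GET /images/logo.gif - 200
1999-09-01 12:02:30 198.51.100.7 GET /Application.CFM+.HTR - 404
1999-09-01 12:03:00 198.51.100.7 GET /scripts/foo.htr - 404
"""

# Case-insensitive: IIS on NT treats extensions without regard to case.
HTR_RE = re.compile(r"\.htr$", re.IGNORECASE)


def parse_w3c(text: str) -> list[dict]:
    """Turn W3C extended log text into one dict per request line.

    Directive lines start with '#'; the '#Fields:' directive names the
    columns. Lines whose column count does not match are skipped rather
    than mis-assigned to the wrong field.
    """
    fields = None
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("request line before any #Fields: header")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line; do not guess at the column mapping
        entries.append(dict(zip(fields, values)))
    return entries


def find_htr_probes(entries: list[dict]) -> list[dict]:
    """Return every request whose URI stem ends in '.htr'.

    'piggyback' is True when '.htr' was appended with '+' to another
    file name, the shape described in the thread. 'served' is True when
    the server answered 200, i.e. the ISAPI mapping was still present.
    """
    hits = []
    for e in entries:
        stem = e.get("cs-uri-stem", "")
        if not HTR_RE.search(stem):
            continue
        base = stem[: -len(".htr")]
        hits.append({
            "time": f"{e['date']} {e['time']}",
            "c-ip": e["c-ip"],
            "cs-uri-stem": stem,
            "sc-status": e["sc-status"],
            "piggyback": base.endswith("+"),
            "served": e["sc-status"] == "200",
        })
    return hits


def by_source(hits: list[dict]) -> Counter:
    """Count flagged requests per client address for a quick triage view."""
    return Counter(h["c-ip"] for h in hits)


if __name__ == "__main__":
    probes = find_htr_probes(parse_w3c(SAMPLE_LOG))
    for h in probes:
        state = "SERVED" if h["served"] else "blocked"
        kind = "piggyback" if h["piggyback"] else "direct"
        print(f"{h['time']} {h['c-ip']:<14} {h['cs-uri-stem']:<28} {state} ({kind})")
    print("per-source counts:", dict(by_source(probes)))
```

A "SERVED" line for a piggyback request is the signal that matters: it means the mapping was still in place when that request arrived, and the file it names should be treated as having been read.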

------------------------------------------------------------------------------
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/